CVE-2025-62518

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
Type Confusion
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
GitHub_MCNA
8.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Debian logo
Debian Releases
Debian Product
Codename
rust-astral-tokio-tar
trixie
no-dsa
forky
0.5.6-2
fixed
sid
0.5.6-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rust-astral-tokio-tar
questing
needs-triage
plucky
needs-triage
noble
dne
jammy
dne
Common Weakness Enumeration
References
https://edera.dev/stories/tarmageddon
https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318
https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx
https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9
https://github.com/edera-dev/cve-tarmageddon